Encrypting Files on Android with Facebook Conceal

Facebook has open sourced Conceal, a set of Java APIs for file encryption and authentication on Android. To keep the library small (currently 85KB), Conceal uses only a subset of OpenSSL’s algorithms with predefined options.

The library targets older Android devices, from Froyo to Jelly Bean, on which the performance is much better than Android’s native support, according to Facebook:

Google has introduced support for OpenSSL in KitKat, but the default Cipher Stream “does not perform well”, according to Facebook; “when replaced with our Cipher stream (see BetterCipherInputStream), the default implementation is competitive against Conceal.”

The following code snippet shows how to encrypt files with Conceal:

    // Creates a new Crypto object with default implementations of
    // a key chain as well as native library.
    Crypto crypto = new Crypto(
        new SharedPrefsBackedKeyChain(context),
        new SystemNativeCryptoLibrary());

    // Check for whether the crypto functionality is available
    // This might fail if Android does not load libraries correctly.
    if (!crypto.isAvailable()) {
        return;
    }

    OutputStream fileStream = new BufferedOutputStream(
        new FileOutputStream(file));

    // Creates an output stream which encrypts the data as
    // it is written to it and writes it out to the file.
    OutputStream outputStream = crypto.getCipherOutputStream(
        fileStream,
        entity);

    // Write plaintext to it.
    outputStream.write(plainText);
    outputStream.close();

Conceal can be used to encrypt large files; Facebook uses it to encrypt data and images stored on a phone’s or tablet’s SD card.

Using .Net cyphers that come with Xamarin (with F#) on Android. Performance is reasonable for the need but I have not done any benchmarking.

A key requirement was to securely transport sensor private data back to the mother ship, so I used a public-private key pair.

The app generates a random symmetric key and encrypts the data soon after it is captured with this key. The symmetric key is then encrypted with the public key and then sent along with the encrypted data. The data is only decryptable in a secure location which has the private key.

The problem with using a symmetric key is that it has to be stored on the app and can be recovered by a determined hacker or malware. Also, if the key is not changed, it can be recovered using statistical means if enough encrypted data is analyzed.
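The hybrid scheme described in the comment above, as an added example that is not part of the original page and is not the commenter's code. It uses the standard Java JCA rather than .NET or Conceal; the choice of AES-256-GCM, RSA-2048 with OAEP, the envelope layout and all class and method names are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class HybridEnvelope {
    // Assumed envelope layout: RSA-wrapped AES key | 12-byte nonce | ciphertext + GCM tag
    static final int WRAPPED_LEN = 256, NONCE_LEN = 12, TAG_BITS = 128;
    static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Device side: holds only the public key, so nothing stored in the app can decrypt.
    static byte[] seal(PublicKey pub, byte[] reading) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey dataKey = kg.generateKey();            // fresh random key per message
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, dataKey, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = aes.doFinal(reading);
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.ENCRYPT_MODE, pub);
        byte[] wrapped = rsa.doFinal(dataKey.getEncoded());
        return ByteBuffer.allocate(wrapped.length + NONCE_LEN + ct.length)
                .put(wrapped).put(nonce).put(ct).array();
    }
    // Secure location: unwrap the AES key with the private key, then decrypt and verify the tag.
    static byte[] open(PrivateKey priv, byte[] env) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.DECRYPT_MODE, priv);
        SecretKey dataKey = new SecretKeySpec(rsa.doFinal(env, 0, WRAPPED_LEN), "AES");
        byte[] nonce = Arrays.copyOfRange(env, WRAPPED_LEN, WRAPPED_LEN + NONCE_LEN);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, dataKey, new GCMParameterSpec(TAG_BITS, nonce));
        int off = WRAPPED_LEN + NONCE_LEN;
        return aes.doFinal(env, off, env.length - off);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);                            // 2048-bit modulus gives a 256-byte wrapped key
        KeyPair kp = kpg.generateKeyPair();
        byte[] env = seal(kp.getPublic(), "temp=21.5".getBytes(StandardCharsets.UTF_8)); // constructed sample
        System.out.println(new String(open(kp.getPrivate(), env), StandardCharsets.UTF_8));
        env[env.length - 1] ^= 1;                        // flip one bit of the GCM tag
        try { open(kp.getPrivate(), env); } catch (AEADBadTagException e) { System.out.println("tampering detected"); }
    }
}
```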